Career Plan - from Networking to Information Security

I am currently working for a MNC as Sr. Executive - Projects, basically handling New Installation - Data Networking (Wired & Wireless LAN). Apart from this, I'll help my Sales Team in terms of Designing LAN n Wireless LAN Site Surveys.

I have 5+ years of experience (B. Tech. in IT, 2005 passed-out) but i am not satisfied with my job. I am actually loosing grip on Technical Part & now its more like Project Management thing. Apart from this, I am very keen towards Information Security.
I am planning to quit my job to prepare for CEH (Certified Ethical Hacking) & for that I have to get deep into Linux (I am planning for RHCE also) & Coding...

I am going take 6-8 Months break & prepare for following certifications:

Dont quit your job! A lot of time out of work will make it harder for
you to be hired. It may not be easy to find work when you want it. It
could prove very hard to break into those areas you will be studying.
Is it at all possible for you to move to something more technical within
your current company?
Consider getting one of those certs that might help get your foot in
the door and leave the others
to work on as you grow in the security field. You might want to
consider GIAC certification instead of CEH.
Hakin9- 1/2009- had a great article called Training -- the Security
Minefield by Chris Riley. I've excerpted his discussion of the CEH:

C|EH -- Certified
Ethical Hacker
The C|EH has been much hyped over the past few years as THE ethical hacking
cer tif ication. Even though the hype is still there, it 's become clear
that the C|EH
is no longer the only show in town. It is certainly still wor thwhile if
you plan to go
into the penetration testing or incident handling arenas. However there
are now
a range of other courses that rival this for top spot . I 've personally
found that
some companies are still adver tising for C|EH cer tif ied staf f,
however almost
exclusively alongside other qualif ications such as MCSE or Security+.
This goes
to prove that achieving a C|EH will not be the deciding factor in moving
into security, but is instead a midway point of sor ts. If you already
have other
qualif ications, the C|EH helps you clarif y your position and show that
you know
your stuf f when it comes to hacker tools and techniques.
The C|EH course itself is ver y focused on hacker tools. In fact
you could say
that the entire course is about tools. Theor y of how at tacks work is
given when
required, but the tools are the bread and but ter of this course. As
with many
hacking courses, the topics covered are sometimes more than a lit tle
outdated.
Some topics covered even date back to NT4 in places, and as such are not
always the most useful . The techniques are nice to know for historical
reference,
however the patches and upgrades to render these techniques useless have
been in place for many years now. When I took the course late last year,
I was
ver y disappointed in the structure of the course in general and
especially the
course material . Usually I complain that the course material is too
small and
doesn't cover enough. However in the case of C|EH it was the exact
opposite.
Weighing in at over 2300 pages, it was ver y far from a small book. In
fact , it
was 4 large books. Having read through most of the course material (I had a
free week over New Year) I can almost cer tainly say that the material
could be
slimmed down to less than half what it is now and as a result be much more
learning friendly. I hate to think what the new C|EH material is like,
as EC-Council
claim to have increased the modules in the new version 6 classes. The
speed at
which the course was covered previously means that ver y lit tle time is
spent going
into the f ine detail . With more modules I 'm not sure you'll have time
to read the
slides before moving onto the next .
If you have a basic understanding of hacker techniques and want
some hands on time
with the tools in class, then C|EH is a good place to star t . Being
able to use the tools against
live test systems will always teach you more than reading an example
in a book. I personally found
that due to the extensive content covered in the course, not enough
emphasis was
put on the practical side. With more time spent rushing through the
descriptions
of what tools do than anything else. If you're a beginner to the ethical
hacker game,
then becoming a C|EH may not be as easy as it looks. When taking the
exam I was surprised by the amount of questions that seemed not to have
been
covered in the exam material . You'd think that with 2300 pages to play
with, they'd
squeeze all the facts in somewhere, but no such luck. A good overall
knowledge
of IT and basic security theor y is required before at tempting the exam
in my
personal opinion. The exam was cer tainly harder than you would expect
from the
course content .
Af ter taking the live training at an authorized center, I 'd suggest
that if at all possible
the home study method is more suited to the C|EH material . There are
a number of books available for the
C|EH version 5 exam, and hopefully these will be updated to cover the
version 6
exam in the near future. EC-Council also of fers some of f icial CBT
training. I 've
had the displeasure of sit ting through this for a few hours, and can
only say
that it 's a few hours of my life that I 'd claim back if I could. The
deliver y is dr y,
almost as if it 's read from a script , and the overall content is ver y
poor. As an
alternative there are a number of ethical hacking CBT's available from
people
like CBTnuggets and VTC which seem much more appropriate and informative.
I found these videos ver y useful for a basic overview, but not enough
to pass
the exam without fur ther study in specif ic areas. Af ter all ,
watching a video is
never as good as get ting your hands dir ty yourself. As with the MCSE,
I would
recommend spending some time with the tools in a lab environment using
something like VMware. Some of the tools, especially Metasploit , are
complex
to learn at the fast pace you see them in class and take a while to
truly master.
Once you've passed your C|EH, EC-Council requires that you retain your
qualif ication by collecting ECE points. Although the system is
relatively new
and a lit tle confusing, the collection of points is not hard to do. As
long as
you're actively learning (read security books, listening to security
podcasts,
etc. . .) then you should build up enough points without too much
problem. The
points system seems a lit tle slanted in the favor of EC-Council , but
it 's beginning
to even itself out . Going to an EC-Council sponsored event will still
get you more
ECE points than something like Defcon or Blackhat , but I 'm sure this
will change
in the long run. Hopefully EC-Council will clarify the ECE points over
the next few
months and smooth out the system a lit tle. http://hakin9.org/app/files/download?attachment=at tachment1&model=Article&model_id=7189&portal_id =109

In this context you might consider Professional Penetration Testing
Creating and Operating
a Formal Hacking Lab by Thomas Wilhelm. There's a useful website
associated with it including
helpful forums: http://heorot.net/
The book includes a DVD with Two video courses are provided on the
DVD, which teach methodologies
used within a professional penetration test -- the ISSAF and the
OSSTMM. Five different servers are provided on the DVD, which can be
used to set up a
penetration test lab. The servers can be used as LiveCDs or VMs, saving
an immense amount of
time while building a lab and practicing hacking methods.
If you wander out to the site take a look at TheHackerdemia Project
This is a LiveCD that provides both an instructional platform (in the
form of a wiki)
and an attack target to practice newly acquired skills.
Also look at project De-ICE: This is an Open Source De-ICE Pentest
LiveCDs project. We present some of the various resources and links
available that support or discuss this project. Intended to provide
legal targets in which to practice and learn PenTest skills, these
LiveCDs are real servers that contain real-world challenges. Designed by
professional penetration testers, each disk provides a learning
opportunity to explore the world of penetration testing. Intended for
beginners and professionals alike.
Finally, if you don't have it yet, get the most recent version of
backtrack

I am not sure how much visibility you have to the world of information security but I would strongly suggest that you start with Security+. The preparation for this exam will give you insight into the infosec domains and is a good point to start. And you dont need to quit your job to do that :)

I would consider CEH "a bit" advanced and you should consider this only after you have a rough road map on where you want to go in this field...pen tester/auditor/etc.

Also note that there is nothing like on the job exposure, so look out for options in your current organization; most orgs will have information security related jobs.

Thanks for your suggestion... i took this decision long time ago, some 1 yr back... i am quite familiar with IS conceptual things but i don't have any practicle knowledge... i really like this subject, its very interesting!!!

I am preparing for Security+ on my own (CBT's, books n other stuff), i already did EC Council NSA (entry level certification in IS)...
i have gone CEH syllabus n i don't think i'll b able 2 prepare for it while continuing my job. In my organization, i don't c any scope for this particular field...

The only thing i havn't planned till now is wht kind of job i'll get after my CEH Certification... i have experience in Networking (not irrelevent to IS) but its not the same Domain where i wanna go... maybe Security Consultant kind of thing coz Pen Tester or IS Auditor is something out of my reach (at this moment) n nobody will hire a fresher for this kind of job...

I would suggest not to take break(Quitting Job) just for the sake of
preparing for cert... When you are going thru certs like security+ and CEH,
its always better you stay in your current job and explore something new in
your field of work and relate them to Infosec domain...

Getting your Security+ while you are still working is a better idea. You
can study at night for 2-4 weeks and take the test. Check out
Pass4forSure (http://www.pass4sure.com/) or Measureup
(http://www.measureup.com/), that is what we used study. Our pass rate
was 98%.

I would like to remind you if you have forgoten. Basically, IT security is not a seperate thing in IT but best done autonomously in an organisation not under any department but report to the Information owners.

It's good you're currently employed and doing something related to projects, thats is all you need to start and not by sitting in a class or at home doing the theory parts of security. All you just have to do is to understand for exanple the 10 domains of CISSP and choose the ones related to your job descriptions or applies to what you like doing.

RECOMMENDATIONS:
1. I will recommend you get a CISSP book probably by Shon Harris it comprises 10 security domains, read on your own before going for security training.
2. When you read this book try to visualise your enviroment and what you do for your client every day. This will help you to understand what the author is talking about.
3. Practice Security in your current evironment, be it Access Control Systems and Methodology, Telecommunications and Network Security,
Business Continuity Planning and Disaster Recovery Planning, Security Management Practices, Cryptography, Operations Security, Physical Security
4. Talk about it. Business owners and Clients want to hear what they can do to make their infrastructure secure and last longer.
5. Get your self updated with standard and best practices in the IT Security industry, and once in a while get to talk about it with your colleagues or Boss. Before you know pit eople will consult you for recommendations.

* Possess a minimum of five years of direct full-time security work
experience in two or more of the ten (ISC)??? information security
domains (CBK). One year may be waived for having either a
four-year college degree, a Master's degree in Information
Security, or for possessing one of a number of other
certifications from other organizations.^A candidate not
possessing the necessary five years of experience may earn the
Associate of (ISC)??? designation by passing the required CISSP
examination. The Associate of (ISC)??? for CISSP designation is
valid for a maximum of six years from the date (ISC)??? notifies the
candidate of having passed the exam. During those six years a
candidate will need to obtain the required experience and submit
the required endorsement form for certification as a CISSP. Upon
completion of the professional experience requirements the
certification will be converted to CISSP status... https://www.isc2.org/cissp-professional-experience.aspx

I read all your replies & then reanalyzed on what i am gonna do with my job & career... I'll think about not quitting job but the issue is I'm not able to concentrate on studies... its not like that I don't get time but issue is that i am not able get in the rhythm of studying... its kind of on-off thing... i m planning for Security+ exam in next month...

Now let me see CISSP book to decide what sub-domain i'll get into... as per my knowledge, my plan is clear...

Security+
RHCE
CEH

for my interest, I'll do CWNA also... I am quite good in Wireless LAN field so a Cert. is not gonna harm me in any ways :)

I know that its very tough to get a job, especially after this kind of long break but I am ok with that. I mean, I'll get a job even if the package & designation is less than what I have at this moment... On a long run, this small (1 or max 2 yrs) adjustment is acceptable...

Getting the Security+ is a great idea. Also you should look around your current employer for opportunities to join network security related projects, even if you only volunteer for a short period or just answer a few questions. Get to know the network security people and even ask them questions about their daily tasks and ask if you can shadow one of them for a little while because you want to move into security.

Moving from Installation and Deployment to Security will be challenging,
but very do-able. Infosec's points will be quite helpful in getting a grip
on "if" you want to actively pursue your career path. Every company will
have little differences which you will need either practical experience, or
the knowledge and skills to pick up quickly in a changing or diverse
environment.

With budgets shrinking, Linux is a logical solution for most companies, but
be careful as each flavor of Linux has its own set of built-in tools for
network management -- plus there are hundreds of different packages related
to security applications. Figuring out what tools and applications that are
used most often to secure a Linux environment will give you a leg up on
building a solid foundation for your future.

Obtaining the Cisco certs and Security+ will be essential - but as note
before when looking for Linux Certification stay as neutral as possible,
fine tuning your knowledge of the CLI and getting up to speed using the
Bash shell.

I would encourage you to spend time with your current team, even if its
before of after your regular works hours (if possible) and work side by
side with them; it may not keep you on your predetermined time line for
certification -- but it will assure you are prepared for the tasks in front
of you. Security is not really an job description, its a mindset. Prepare
-- Prepare and more Preparation!

Copyright 1998-2015 Ziff Davis, LLC (Toolbox.com). All rights reserved. All product names are trademarks of their respective companies. Toolbox.com is not
affiliated with or endorsed by any company listed at this site.